Stage 4: Intermediate Zero Trust
According to the 2024 CDW Cybersecurity Research report, only 47 percent of IT leaders surveyed say they are very confident that they have sufficient visibility into their organizations’ cybersecurity landscapes. The rest would like a clearer view of their entire IT ecosystem so they can assess fault lines between integrations, network connections and so on before a threat escalates.
This intermediate stage can encompass the second stage of the CISA maturity model, in which “automation is introduced,” according to Candillo. “This includes attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems.”
Organizations at this intermediate stage are also actively planning and evaluating their security posture in relation to zero-trust principles. They are conducting assessments and gap analyses to identify areas of improvement and are developing strategies and roadmaps for further zero-trust adoption.
“Tools such as effective identity and access management solutions are necessary, but they must be deployed strategically and integrated with other elements, such as data governance,” Candillo and other CDW experts write in another white paper. “Among the most critical use cases for zero trust are implementing principles within an organization’s backup and recovery systems, enhancing the secure experience of remote workers and securing complex cloud infrastructures.”
Stage 5: Advanced Zero Trust
At this stage, organizations have already integrated multiple zero-trust components into their security infrastructure and have an ongoing monitoring and optimization process in place. They are running continuous monitoring, so threat detection and response capabilities are part of security operations.
Emphasizing centralized visibility and identity control, dynamic policies based on automated or observed triggers, and alignment with open standards for cross-functional interoperability, this stage can encompass the final two levels of the CISA maturity model.
In transitioning to this stage, organizations will “find that their solutions rely more heavily upon automated processes, systems are integrated across pillars, and they become more dynamic in their policy enforcement decisions,” according to Candillo.
Organizations that achieve this highest level of maturity have fully embraced the zero-trust model as part of their security culture. But those that aren’t there yet can take a number of steps to improve, including gap analyses, benchmarking, self-assessments and a rapid maturity assessment. And no matter the stage, help is available for organizations to develop roadmaps, budgets and security policies to push forward.